ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-04-15 00:57:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs(threat-detection): Add threat-detection docs (#3757)

Browse Source
This commit is contained in:
Pedro Martín
2024-04-12 10:36:55 +02:00
committed by GitHub
parent ad3b0b33f2
commit 82bd4e940f
2 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
docs/tutorials/aws/threat-detection.md Normal file
View File

@@ -0,0 +1,24 @@
# Threat Detection
Prowler allows you to do threat detection in AWS based on the CloudTrail log records. To run checks related with threat detection use:
```
prowler aws --category threat-detection
```
This comand will run these checks:
* `cloudtrail_threat_detection_privilege_escalation`
* `cloudtrail_threat_detection_enumeration`
???+ note
Threat Detection checks will be only executed using `--category threat-detection` flag due to preformance.
## Config File
If you want to manage the behavior of the Threat Detection checks you can edit `config.yaml` file from `/prowler/config`. In this file you can edit the following attributes related with Threat Detection:
* `threat_detection_privilege_escalation_threshold`: determines the percentage of actions found to decide if it is an privilege_scalation attack event, by default is 0.1 (10%)
* `threat_detection_privilege_escalation_minutes`: it is the past minutes to search from now for privilege_escalation attacks, by default is 1440 minutes (24 hours)
* `threat_detection_privilege_escalation_actions`: these are the default actions related with priviledge scalation.
* `threat_detection_enumeration_threshold`: determines the percentage of actions found to decide if it is an enumeration attack event, by default is 0.1 (10%)
* `threat_detection_enumeration_minutes`: it is the past minutes to search from now for enumeration attacks, by default is 1440 minutes (24 hours)
* `threat_detection_enumeration_actions`: these are the default actions related with enumeration attacks.

1
mkdocs.yml
View File

@@ -77,6 +77,7 @@ nav:
- Tag-based Scan: tutorials/aws/tag-based-scan.md - Tag-based Scan: tutorials/aws/tag-based-scan.md
- Resource ARNs based Scan: tutorials/aws/resource-arn-based-scan.md - Resource ARNs based Scan: tutorials/aws/resource-arn-based-scan.md
- Boto3 Configuration: tutorials/aws/boto3-configuration.md - Boto3 Configuration: tutorials/aws/boto3-configuration.md
- Threat Detection: tutorials/aws/threat-detection.md
- Azure: - Azure:
- Authentication: tutorials/azure/authentication.md - Authentication: tutorials/azure/authentication.md
- Non default clouds: tutorials/azure/use-non-default-cloud.md - Non default clouds: tutorials/azure/use-non-default-cloud.md